Hi all,

I want to create a shorewall config that routes all packets that would be dropped to a gateway on a separate interface. I try to do it by modification of the DROP target to mark these packets with an INTERCEPT connmark (and ACCEPT them) and use a different routing table (std. policy routing) with a default route to the separate interface.

The problem: I want to use the filter tables generated by shorewall to do the filtering, but the packets are already routed when they reach the filter tables. So I cannot route the first packet of a connection to this special interface, hence no real connection intercept is possible.

Any ideas for workarounds?

greets,
Roman

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
DI Roman Fiedler wrote:
> Any ideas for workarounds?

No. Shorewall does filtering in the 'filter' table which, as you have noted, is traversed after the packets have been routed.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
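To make the ordering problem behind Tom's answer concrete, here is an added example (not from the thread, not Shorewall code) that models the netfilter traversal of a forwarded packet in Python: mangle PREROUTING, then the routing decision, then filter FORWARD. The connmark value, interface names, the simplified five-tuple conntrack and the example policy ("deny port 25") are all assumptions chosen for illustration. The model shows that a connmark set by a rule in filter FORWARD (where Shorewall's generated rules live) only affects the routing of later packets of the same connection, because the first packet was already routed before the rule ran; the variant flag shows what changes when the same decision is taken before routing, outside Shorewall's filter rules.

```python
"""Toy model of netfilter traversal for a forwarded IPv4 packet.

Hook order modelled (a simplification of the real kernel path):
  mangle PREROUTING -> routing decision -> filter FORWARD
A mark set in filter FORWARD is too late to influence the routing
decision of the very packet that set it.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

INTERCEPT_MARK = 0x1          # assumed fwmark selecting the intercept table
INTERCEPT_TABLE_DEV = "eth2"  # assumed default route of the intercept table
MAIN_TABLE_DEV = "eth0"       # assumed default route of the main table

Flow = Tuple[str, str, str, int, int]
Policy = Callable[["Packet"], bool]   # True = Shorewall policy would ACCEPT


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    mark: int = 0
    out_dev: str = ""
    verdict: str = ""

    def flow(self) -> Flow:
        return (self.src, self.dst, self.proto, self.sport, self.dport)


@dataclass
class Conntrack:
    """Stand-in for the kernel conntrack table: per-flow connmark."""
    connmarks: Dict[Flow, int] = field(default_factory=dict)


def mangle_prerouting(pkt: Packet, ct: Conntrack,
                      policy: Optional[Policy] = None) -> None:
    # CONNMARK --restore-mark: the packet inherits its connection's mark.
    pkt.mark = ct.connmarks.get(pkt.flow(), 0)
    if policy is not None and not policy(pkt):
        # Variant only: policy evaluated here, BEFORE routing. This is not
        # where Shorewall puts its filtering rules.
        ct.connmarks[pkt.flow()] = INTERCEPT_MARK
        pkt.mark = INTERCEPT_MARK


def routing_decision(pkt: Packet) -> None:
    # ip rule: "fwmark 0x1 lookup intercept", otherwise the main table.
    pkt.out_dev = INTERCEPT_TABLE_DEV if pkt.mark == INTERCEPT_MARK \
        else MAIN_TABLE_DEV


def filter_forward(pkt: Packet, ct: Conntrack, policy: Policy) -> None:
    # Shorewall's generated rules live here. The modified DROP from the
    # question: set the INTERCEPT connmark and ACCEPT instead of dropping.
    if not policy(pkt):
        ct.connmarks[pkt.flow()] = INTERCEPT_MARK   # CONNMARK --set-mark
    pkt.verdict = "ACCEPT"


def simulate(policy: Policy, n_packets: int = 2,
             mark_in_prerouting: bool = False) -> List[str]:
    """Egress device chosen for each of the first n packets of one flow.

    mark_in_prerouting=False: decision taken in filter FORWARD (Shorewall).
    mark_in_prerouting=True:  decision taken in mangle PREROUTING instead.
    """
    ct = Conntrack()
    devs: List[str] = []
    for _ in range(n_packets):
        # Constructed sample flow: the same 5-tuple for every packet.
        pkt = Packet("10.0.0.5", "192.0.2.10", "tcp", 40000, 25)
        mangle_prerouting(pkt, ct, policy if mark_in_prerouting else None)
        routing_decision(pkt)
        filter_forward(pkt, ct, policy)
        devs.append(pkt.out_dev)
    return devs


def deny_smtp(pkt: Packet) -> bool:
    """Example policy: everything but destination port 25 is accepted."""
    return pkt.dport != 25


if __name__ == "__main__":
    print("mark in FORWARD:   ", simulate(deny_smtp))
    print("mark in PREROUTING:", simulate(deny_smtp, mark_in_prerouting=True))
```

With the mark set in filter FORWARD the first packet of the denied flow leaves via eth0 and only the second via eth2, which is exactly the "first packet" problem described in the question; with the decision moved before the routing step both packets go to eth2. The real kernel path has more hooks (nat PREROUTING, POSTROUTING) and conntrack is far richer than a dictionary, but the ordering that matters here is the same.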
Tom Eastep wrote:
> DI Roman Fiedler wrote:
>> Any ideas for workarounds?
>
> No. Shorewall does filtering in the 'filter' table which, as you have
> noted, is traversed after the packets have been routed.
>
> -Tom

Is there any way to push the packet back to the start? I noticed that there are some strange targets I do not fully understand (like MIRROR, NFQUEUE). The original packet could be dropped but an identical copy would enter the protocol stack again, so that the conntrack setups are already ok, all marks are correct so that prerouting would work as expected (make the first packet the second so that it will work).

Roman
DI Roman Fiedler wrote:
> Tom Eastep wrote:
>> DI Roman Fiedler wrote:
>>> Any ideas for workarounds?
>>
>> No. Shorewall does filtering in the 'filter' table which, as you have
>> noted, is traversed after the packets have been routed.
>>
>> -Tom
>
> Is there any way to push the packet back to the start? I noticed that
> there are some strange targets I do not fully understand (like MIRROR,
> NFQUEUE). The original packet could be dropped but an identical copy
> would enter the protocol stack again, so that the conntrack setups are
> already ok, all marks are correct so that prerouting would work as
> expected (make the first packet the second so that it will work).

You would be better served to ask these questions on the Netfilter list rather than here.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Tom Eastep wrote:
> DI Roman Fiedler wrote:
>> Tom Eastep wrote:
>>> DI Roman Fiedler wrote:
>>>> Any ideas for workarounds?
>>>
>>> No. Shorewall does filtering in the 'filter' table which, as you have
>>> noted, is traversed after the packets have been routed.
>>>
>>> -Tom
>>
>> Is there any way to push the packet back to the start? I noticed that
>> there are some strange targets I do not fully understand (like MIRROR,
>> NFQUEUE). The original packet could be dropped but an identical copy
>> would enter the protocol stack again, so that the conntrack setups are
>> already ok, all marks are correct so that prerouting would work as
>> expected (make the first packet the second so that it will work).
>
> You would be better served to ask these questions on the Netfilter list
> rather than here.
>
> -Tom

Yes, I guess I will try there, thanks.

Roman